The breach was made public fairly rapidly by many of today’s standards. The vulnerability was discovered and closed on 20 October, although it appears that state employees were aware of the attacks by 10 October. Nevertheless, SC State Senator Vincent Sheehan was scathing: “For Governor Haley and her administration to withhold news from us for sixteen days that our personal identity information has been stolen from state computers is completely unacceptable,” he suggested. “And to wait until a Friday afternoon to release this information is nothing more than a slick public relations trick trying to minimize political damage.”
Security firm Mandiant was brought in “upon the recommendation of law enforcement officials... to assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access,” announced state officials. The investigations suggest that the intrusions occurred some five times from late-August to mid-October, with the majority of the data stolen during August. Officials stress that no public funds have been stolen or put at risk, and that the credit card details are old and likely to be of little value to the thieves.
State Governor Nikki Haley reacted angrily against the hacker at a news conference in the state capital of Columbia. "I want this person slammed against the wall," she said. “I want that man just brutalized.” Security people will, however, wonder why 3.6 million SSNs were stored unencrypted. In many ways these are more valuable to thieves than the card details since they provide the opportunity for complete identity theft, including the ability to open bank accounts, take out loans and buy property; and unlike card numbers they do not expire.
Noticeably, the South Carolina announcement came just one day after the UK’s Information Commissioner announced a £120,000 fine on a local authority that had exposed sensitive information. “If this data had been encrypted then the information would have stayed secure,” he announced. “Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.” The anger voiced by the South Carolina Governor may simply be a way of deflecting criticism in what can only be seen as a failure of security.
Government websites are a favorite target for hackers. According to the Privacy Rights Clearinghouse, there have been more than 30 hacks into government computers in the US this year alone. Little is yet known of this particular hack, although it is suggested that the intrusion originated from a foreign IP address. Officials are urging anyone who filed a South Carolina tax return since 1998 to find out whether their information was affected. Governor Nikki Haley added, “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.” Kaspersky Lab also suggests that South Carolina taxpayers should “check their statements for unusual activity and consider a security or credit freeze to prevent illegal use of the financial data.”
But there is a further concern for security specialists. The first (known) intrusion was traced to August, but was only discovered on or after 10 October. “The fact that it took [more than] a month for this incident to be detected shows that traditional IT security defenses are no longer effective,” Frank Coggrave of Guidance Software told Infosecurity. “The cyber criminal of today, who is driven by political or financial motivations, gets in, does their dirty work, and gets out as quickly and quietly as possible - therefore it’s often weeks before an incident is detected. The truth is that the vast majority of organizations that have been hacked do not even know until they have been informed by an external group, and by then it’s far too late. In order to limit the reputational and financial damage that these incidents can cause, organizations must adapt their thinking to suit the tactics and motivations of the modern cyber criminal.”